summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorkungurtsev <[email protected]>2025-02-27 12:39:26 +0100
committerGitHub <[email protected]>2025-02-27 12:39:26 +0100
commit95046853a1fdd3f93bb4e6bca233bc600852cf19 (patch)
tree3d527187b4ab6d0a18c92df2d3fd883621de7459
parentcc8a05f2f094d78a1d938512096e3acd345243df (diff)
Test tenant access to auth sys views (#15121)
Diffstat
-rw-r--r--ydb/core/sys_view/ut_kqp.cpp325
1 files changed, 293 insertions, 32 deletions
diff --git a/ydb/core/sys_view/ut_kqp.cpp b/ydb/core/sys_view/ut_kqp.cpp
index 5975bb62918..0589ba9f6e2 100644
--- a/ydb/core/sys_view/ut_kqp.cpp
+++ b/ydb/core/sys_view/ut_kqp.cpp
@@ -132,11 +132,19 @@ void SetupAuthAccessEnvironment(TTestEnv& env) {
env.GetClient().CreateUser("/Root", "user2", "password2");
env.GetClient().CreateUser("/Root/Tenant1", "user3", "password3");
env.GetClient().CreateUser("/Root/Tenant1", "user4", "password4");
+ env.GetClient().CreateUser("/Root/Tenant2", "user5", "password5");
+
+ // Note: in real scenarios user6tenant1admin should be created in /Root/Tenant1
+ // but it isn't supported by test framework
+ env.GetClient().CreateUser("/Root", "user6tenant1admin", "password6");
+ env.GetClient().ModifyOwner("/Root", "Tenant1", "user6tenant1admin");
{
NACLib::TDiffACL acl;
acl.AddAccess(NACLib::EAccessType::Allow, NACLib::GenericUse, "user1rootadmin");
acl.AddAccess(NACLib::EAccessType::Allow, NACLib::GenericUse, "user2");
+ acl.AddAccess(NACLib::EAccessType::Allow, NACLib::GenericUse, "user6tenant1admin");
+ acl.AddAccess(NACLib::EAccessType::Allow, NACLib::GenericFull, "root@builtin");
env.GetClient().ModifyACL("", "Root", acl.SerializeAsString());
}
}
@@ -146,6 +154,13 @@ void CheckAuthAdministratorAccessIsRequired(TScanQueryPartIterator& it) {
"Administrator access is required");
}
+void CheckEmpty(TScanQueryPartIterator& it) {
+ auto expected = R"([
+
+ ])";
+ NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+}
+
class TYsonFieldChecker {
NYT::TNode Root;
NYT::TNode::TListType::const_iterator RowIterator;
@@ -2244,21 +2259,40 @@ Y_UNIT_TEST_SUITE(SystemView) {
SetupAuthAccessEnvironment(env);
TTableClient client(env.GetDriver());
+ // Cerr << env.GetClient().Describe(env.GetServer().GetRuntime(), "/Root/Tenant1").DebugString() << Endl;
+
{ // anonymous login doesn't give administrative access as `AdministrationAllowedSIDs` isn't empty
auto driverConfig = TDriverConfig()
.SetEndpoint(env.GetEndpoint());
auto driver = TDriver(driverConfig);
TTableClient client(driver);
- auto it = client.StreamExecuteScanQuery(R"(
- SELECT Sid
- FROM `Root/.sys/auth_users`
- )").GetValueSync();
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/.sys/auth_users`
+ )").GetValueSync();
- auto expected = R"([
+ CheckEmpty(it);
+ }
- ])";
- NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant1/.sys/auth_users`
+ )").GetValueSync();
+
+ CheckEmpty(it);
+ }
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant2/.sys/auth_users`
+ )").GetValueSync();
+
+ CheckEmpty(it);
+ }
}
{ // user1rootadmin is /Root admin
@@ -2280,6 +2314,7 @@ Y_UNIT_TEST_SUITE(SystemView) {
auto expected = R"([
[["user1rootadmin"]];
[["user2"]];
+ [["user6tenant1admin"]];
])";
NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
}
@@ -2296,6 +2331,18 @@ Y_UNIT_TEST_SUITE(SystemView) {
])";
NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
}
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant2/.sys/auth_users`
+ )").GetValueSync();
+
+ auto expected = R"([
+ [["user5"]];
+ ])";
+ NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ }
}
{ // user2 isn't /Root admin
@@ -2326,15 +2373,64 @@ Y_UNIT_TEST_SUITE(SystemView) {
FROM `Root/Tenant1/.sys/auth_users`
)").GetValueSync();
- auto expected = R"([
+ CheckEmpty(it);
+ }
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant2/.sys/auth_users`
+ )").GetValueSync();
+
+ CheckEmpty(it);
+ }
+ }
+
+ { // user6tenant1admin is /Root/Tenant1 admin
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(env.GetEndpoint())
+ .SetCredentialsProviderFactory(NYdb::CreateLoginCredentialsProviderFactory({
+ .User = "user6tenant1admin",
+ .Password = "password6",
+ }));
+ auto driver = TDriver(driverConfig);
+ TTableClient client(driver);
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/.sys/auth_users`
+ )").GetValueSync();
+ auto expected = R"([
+ [["user6tenant1admin"]];
])";
NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
}
- }
- // TODO: fix https://github.com/ydb-platform/ydb/issues/13730
- // and test tenant user and tenant admin
+ // TODO: make it work
+ // {
+ // auto it = client.StreamExecuteScanQuery(R"(
+ // SELECT Sid
+ // FROM `Root/Tenant1/.sys/auth_users`
+ // )").GetValueSync();
+
+ // auto expected = R"([
+ // [["user3"]];
+ // [["user4"]];
+ // ])";
+ // NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ // }
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant2/.sys/auth_users`
+ )").GetValueSync();
+
+ CheckEmpty(it);
+ }
+ }
}
Y_UNIT_TEST(AuthUsers_ResultOrder) {
@@ -2566,6 +2662,7 @@ Y_UNIT_TEST_SUITE(SystemView) {
env.GetClient().CreateGroup("/Root", "group2");
env.GetClient().CreateGroup("/Root/Tenant1", "group3");
env.GetClient().CreateGroup("/Root/Tenant1", "group4");
+ env.GetClient().CreateGroup("/Root/Tenant2", "group5");
{ // anonymous login doesn't give administrative access as `AdministrationAllowedSIDs` isn't empty
auto driverConfig = TDriverConfig()
@@ -2573,12 +2670,32 @@ Y_UNIT_TEST_SUITE(SystemView) {
auto driver = TDriver(driverConfig);
TTableClient client(driver);
- auto it = client.StreamExecuteScanQuery(R"(
- SELECT Sid
- FROM `Root/.sys/auth_groups`
- )").GetValueSync();
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/.sys/auth_groups`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant1/.sys/auth_groups`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
- CheckAuthAdministratorAccessIsRequired(it);
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant2/.sys/auth_groups`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
}
{ // user1rootadmin is /Root admin
@@ -2616,6 +2733,18 @@ Y_UNIT_TEST_SUITE(SystemView) {
])";
NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
}
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant2/.sys/auth_groups`
+ )").GetValueSync();
+
+ auto expected = R"([
+ [["group5"]];
+ ])";
+ NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ }
}
{ // user2 isn't /Root admin
@@ -2645,10 +2774,59 @@ Y_UNIT_TEST_SUITE(SystemView) {
CheckAuthAdministratorAccessIsRequired(it);
}
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant2/.sys/auth_groups`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
}
- // TODO: fix https://github.com/ydb-platform/ydb/issues/13730
- // and test tenant user and tenant admin
+ { // user6tenant1admin is /Root/Tenant1 admin
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(env.GetEndpoint())
+ .SetCredentialsProviderFactory(NYdb::CreateLoginCredentialsProviderFactory({
+ .User = "user6tenant1admin",
+ .Password = "password6",
+ }));
+ auto driver = TDriver(driverConfig);
+ TTableClient client(driver);
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/.sys/auth_groups`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
+
+ // TODO: make it work
+ // {
+ // auto it = client.StreamExecuteScanQuery(R"(
+ // SELECT Sid
+ // FROM `Root/Tenant1/.sys/auth_groups`
+ // )").GetValueSync();
+
+ // auto expected = R"([
+ // [["group3"]];
+ // [["group4"]];
+ // ])";
+ // NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ // }
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT Sid
+ FROM `Root/Tenant2/.sys/auth_groups`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
+ }
}
Y_UNIT_TEST(AuthGroups_ResultOrder) {
@@ -2801,11 +2979,13 @@ Y_UNIT_TEST_SUITE(SystemView) {
env.GetClient().CreateGroup("/Root", "group2");
env.GetClient().CreateGroup("/Root/Tenant1", "group3");
env.GetClient().CreateGroup("/Root/Tenant1", "group4");
+ env.GetClient().CreateGroup("/Root/Tenant2", "group5");
env.GetClient().AddGroupMembership("/Root", "group1", "user1rootadmin");
env.GetClient().AddGroupMembership("/Root", "group2", "user2");
env.GetClient().AddGroupMembership("/Root/Tenant1", "group3", "user3");
env.GetClient().AddGroupMembership("/Root/Tenant1", "group4", "user4");
+ env.GetClient().AddGroupMembership("/Root/Tenant2", "group5", "user5");
{ // anonymous login doesn't give administrative access as `AdministrationAllowedSIDs` isn't empty
auto driverConfig = TDriverConfig()
@@ -2813,12 +2993,32 @@ Y_UNIT_TEST_SUITE(SystemView) {
auto driver = TDriver(driverConfig);
TTableClient client(driver);
- auto it = client.StreamExecuteScanQuery(R"(
- SELECT *
- FROM `Root/.sys/auth_group_members`
- )").GetValueSync();
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/.sys/auth_group_members`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/Tenant1/.sys/auth_group_members`
+ )").GetValueSync();
- CheckAuthAdministratorAccessIsRequired(it);
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/Tenant2/.sys/auth_group_members`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
}
{ // user1rootadmin is /Root admin
@@ -2856,6 +3056,18 @@ Y_UNIT_TEST_SUITE(SystemView) {
])";
NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
}
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/Tenant2/.sys/auth_group_members`
+ )").GetValueSync();
+
+ auto expected = R"([
+ [["group5"];["user5"]];
+ ])";
+ NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ }
}
{ // user2 isn't /Root admin
@@ -2885,10 +3097,59 @@ Y_UNIT_TEST_SUITE(SystemView) {
CheckAuthAdministratorAccessIsRequired(it);
}
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/Tenant2/.sys/auth_group_members`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
}
- // TODO: fix https://github.com/ydb-platform/ydb/issues/13730
- // and test tenant user and tenant admin
+ { // user6tenant1admin is /Root/Tenant1 admin
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(env.GetEndpoint())
+ .SetCredentialsProviderFactory(NYdb::CreateLoginCredentialsProviderFactory({
+ .User = "user6tenant1admin",
+ .Password = "password6",
+ }));
+ auto driver = TDriver(driverConfig);
+ TTableClient client(driver);
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/.sys/auth_group_members`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
+
+ // TODO: make it work
+ // {
+ // auto it = client.StreamExecuteScanQuery(R"(
+ // SELECT *
+ // FROM `Root/Tenant1/.sys/auth_group_members`
+ // )").GetValueSync();
+
+ // auto expected = R"([
+ // [["group3"];["user3"]];
+ // [["group4"];["user4"]];
+ // ])";
+ // NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ // }
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/Tenant2/.sys/auth_group_members`
+ )").GetValueSync();
+
+ CheckAuthAdministratorAccessIsRequired(it);
+ }
+ }
}
Y_UNIT_TEST(AuthGroupMembers_ResultOrder) {
@@ -3296,7 +3557,7 @@ Y_UNIT_TEST_SUITE(SystemView) {
)").GetValueSync();
auto expected = R"([
- [["/Root/Tenant1"];["root@builtin"]];
+ [["/Root/Tenant1"];["user6tenant1admin"]];
[["/Root/Tenant1/Dir3"];["user3"]];
[["/Root/Tenant1/Dir4"];["root@builtin"]];
[["/Root/Tenant1/Table1"];["root@builtin"]]
@@ -3335,9 +3596,6 @@ Y_UNIT_TEST_SUITE(SystemView) {
])";
NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
}
-
- // TODO: fix https://github.com/ydb-platform/ydb/issues/13730
- // and test tenant user and tenant admin
}
Y_UNIT_TEST(AuthOwners_ResultOrder) {
@@ -3829,8 +4087,10 @@ Y_UNIT_TEST_SUITE(SystemView) {
)").GetValueSync();
auto expected = R"([
+ [["/Root"];["ydb.generic.full"];["root@builtin"]];
[["/Root"];["ydb.generic.use"];["user1rootadmin"]];
[["/Root"];["ydb.generic.use"];["user2"]];
+ [["/Root"];["ydb.generic.use"];["user6tenant1admin"]];
[["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.describe_schema"];["all-users@well-known"]];
[["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.select_row"];["all-users@well-known"]];
[["/Root/.metadata/workload_manager/pools/default"];["ydb.generic.full"];["root@builtin"]];
@@ -3860,8 +4120,10 @@ Y_UNIT_TEST_SUITE(SystemView) {
)").GetValueSync();
auto expected = R"([
+ [["/Root"];["ydb.generic.full"];["root@builtin"]];
[["/Root"];["ydb.generic.use"];["user1rootadmin"]];
[["/Root"];["ydb.generic.use"];["user2"]];
+ [["/Root"];["ydb.generic.use"];["user6tenant1admin"]];
[["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.describe_schema"];["all-users@well-known"]];
[["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.select_row"];["all-users@well-known"]];
[["/Root/.metadata/workload_manager/pools/default"];["ydb.generic.full"];["root@builtin"]];
@@ -3908,8 +4170,10 @@ Y_UNIT_TEST_SUITE(SystemView) {
)").GetValueSync();
auto expected = R"([
+ [["/Root"];["ydb.generic.full"];["root@builtin"]];
[["/Root"];["ydb.generic.use"];["user1rootadmin"]];
[["/Root"];["ydb.generic.use"];["user2"]];
+ [["/Root"];["ydb.generic.use"];["user6tenant1admin"]];
[["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.describe_schema"];["all-users@well-known"]];
[["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.select_row"];["all-users@well-known"]];
[["/Root/.metadata/workload_manager/pools/default"];["ydb.generic.full"];["root@builtin"]];
@@ -3920,9 +4184,6 @@ Y_UNIT_TEST_SUITE(SystemView) {
])";
NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
}
-
- // TODO: fix https://github.com/ydb-platform/ydb/issues/13730
- // and test tenant user and tenant admin
}
Y_UNIT_TEST(AuthPermissions_ResultOrder) {
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-08 02:47:54 +0000